Achieving passwordless user authentication remains a real challenge given the prevalence of web applications that keep asking for passwords. In an enterprise environment the problem is compounded: a single sign-on (SSO) service is often maintained, but not every application can be integrated with it. We envision a passwordless future that provides a frictionless and trustworthy online experience by integrating credential management and federated identity systems. To this end, our implementation, ROSTAM, offers a dashboard that presents every application the user can access with a single click after a passwordless SSO. Web passwords held by the credential manager are protected with a Master Key rather than a Master Password, so that the encrypted passwords remain secure even if they are stolen from the server. We propose and implement novel techniques for synchronization (pairing) and recovery of this Master Key. We compare our solution to previous work using different evaluation frameworks, demonstrating that our hybrid solution combines the benefits of credential management and federated identity systems.
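The following is an added illustration, not code from the ROSTAM paper or implementation, of the security property the abstract claims for a Master Key: a vault encrypted under a key derived from a human-chosen Master Password can be attacked offline by anyone who steals the ciphertext, whereas a vault encrypted under a random 256-bit Master Key cannot. It assumes a generic encrypt-then-MAC construction (HMAC-SHA256 in counter mode standing in for a real AEAD such as AES-GCM), a deliberately low PBKDF2 iteration count so the demonstration finishes instantly, and a constructed vault, salt and wordlist; none of these reflect ROSTAM's actual design.

```python
"""Added illustration (not ROSTAM's code): why a random Master Key resists offline
guessing against a stolen, encrypted credential vault while a Master Password does not."""
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

# Demo parameter: real deployments use far more PBKDF2 iterations. Kept low here so
# the dictionary attack in demo() runs in well under a second.
DEMO_ITERATIONS = 1_000


def derive_key_from_password(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """Master-Password design: the vault key is a deterministic function of a human-chosen secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def generate_master_key() -> bytes:
    """Master-Key design: 256 random bits that are not derived from anything guessable."""
    return secrets.token_bytes(32)


def _subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys, both derived from the master key via HMAC.
    enc = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"vault-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (a stand-in for AES-GCM / XChaCha20-Poly1305).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(master_key)
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong key or a tampered blob."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def offline_guess(blob: bytes, salt: bytes, candidates: List[str],
                  iterations: int = DEMO_ITERATIONS) -> Optional[str]:
    """What an attacker holding a stolen blob can do: derive a key from each guess and test it."""
    for guess in candidates:
        try:
            decrypt_vault(derive_key_from_password(guess, salt, iterations), blob)
            return guess
        except ValueError:
            continue
    return None


# Constructed sample data for the demonstration (not real credentials).
SAMPLE_VAULT = {"legacy-app.example": {"user": "alice", "password": "correct horse"}}
SAMPLE_SALT = b"constructed-demo-salt"
SAMPLE_WORDLIST = ["123456", "qwerty", "summer2020", "letmein"]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (password recovered from the Master-Password vault, result against the Master-Key vault)."""
    pw_blob = encrypt_vault(derive_key_from_password("summer2020", SAMPLE_SALT), SAMPLE_VAULT)
    mk_blob = encrypt_vault(generate_master_key(), SAMPLE_VAULT)
    return (offline_guess(pw_blob, SAMPLE_SALT, SAMPLE_WORDLIST),
            offline_guess(mk_blob, SAMPLE_SALT, SAMPLE_WORDLIST))


if __name__ == "__main__":
    print(demo())  # ('summer2020', None)
```

The point of the contrast is that the Master-Password vault's secrecy is bounded by the entropy of the password and the cost of the KDF, both of which the attacker can grind against offline once the blob leaks; the Master-Key vault's secrecy is bounded only by the 256-bit key, which is why the key itself, rather than the ciphertext, becomes the asset that needs careful synchronization and recovery.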